...
Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method | Data Source |
---|---|---|---|---|
SentinelOne EDR | SENTINEL_EDR | Syslog - CEF2 | CyberHub | NA |
SentinelOne Alerts | SENTINELONE_ALERT | API - JSON | C2C | https://cloud.google.com/chronicle/docs/reference/feed-management-api#sentinelone-alert |
Port Requirements
Source | Destination | Port |
---|---|---|
SentinelOne EDR | CyberHub | 6514 (TCP) |
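The EDR row above forwards events as syslog-wrapped CEF over TCP 6514 (the registered port for syslog over TLS). The following parser is an added example, not code from this page or from SentinelOne: it splits the seven pipe-delimited CEF header fields, honours the CEF escapes (`\|` in the header, `\=`, `\\`, `\n`, `\r` in the extension), and turns the extension into a dictionary. The sample line, its vendor/product strings and field values are constructed for the demonstration and do not represent SentinelOne's actual CEF layout.

```python
"""Parse syslog-wrapped CEF events of the kind an EDR forwards to a syslog
collector. Added example, not code from the original page or from SentinelOne;
the sample line and every field value in it are constructed."""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: a syslog header followed by a CEF record. The escaped
# characters (\= inside fname, \n inside msg) exercise the CEF escaping rules.
SAMPLE_CEF_LINE = (
    "<14>Jan 10 12:00:00 edr-host CEF:0|ExampleVendor|ExampleEDR|1.0|1001|"
    "Threat detected|8|src=10.0.0.5 dst=10.0.0.9 suser=jdoe "
    "fname=evil\\=payload.exe msg=Malicious file blocked\\n on host"
)

HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "signature_id", "name", "severity")
# An extension key starts at the beginning of the extension or after whitespace
# and is followed by an unescaped '='; an escaped '\=' inside a value never matches.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
ESCAPE_RE = re.compile(r"\\(.)")


def split_header(record: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields; a backslash-escaped pipe is
    a literal pipe, and everything after the seventh pipe is the extension."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record) and record[i + 1] in "|\\":
            current.append(record[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF record does not have seven header fields")
    return fields, record[i:]


def unescape(value: str) -> str:
    """Apply CEF extension escapes: backslash-n / backslash-r become line breaks,
    any other escaped character (=, backslash) becomes itself."""
    return ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Cut the extension at each key position; a value runs up to the next key."""
    matches = list(KEY_RE.finditer(ext))
    parsed: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        parsed[m.group(1)] = unescape(ext[m.end():end])
    return parsed


def parse_cef_line(line: str) -> Dict[str, Any]:
    """Locate the CEF record inside a syslog line and return header + extension."""
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("no CEF record in line")
    fields, ext = split_header(line[marker:])
    header: Dict[str, Any] = dict(zip(HEADER_NAMES, fields))
    header["version"] = header["version"][len("CEF:"):]
    header["severity"] = int(header["severity"])  # CEF severity is 0-10
    return {
        "syslog_prefix": line[:marker].rstrip(),
        "header": header,
        "extension": parse_extension(ext),
    }


def is_high_severity(event: Dict[str, Any], threshold: int = 7) -> bool:
    """Simple triage gate on the CEF severity field (threshold is a constructed choice)."""
    return event["header"]["severity"] >= threshold


if __name__ == "__main__":
    parsed_event = parse_cef_line(SAMPLE_CEF_LINE)
    print(parsed_event["header"])
    print(parsed_event["extension"])
    print("high severity:", is_high_severity(parsed_event))
```

A parser that splits the extension on plain spaces breaks on values such as `msg=Malicious file blocked`, which is why the key is anchored on whitespace followed by an unescaped `=`; check the parser against real forwarded lines before relying on it for detection logic, since producers differ in how strictly they escape.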
...
Select TEST
If the test passes, select SAVE
Configuration for SentinelOne EDR (Alert)
Info |
---|
For log collection, we need the FQDN of your SentinelOne API and the API token key from the customer; both are used in the sensor configuration. |
Pre-requisite: A user with the Viewer role assigned is required on the device.
Log in to the Device Management Console, navigate to the extreme right corner, and click User Name > My User.
...
The following pop-up appears
...
Click Generate API Token.
Copy the API token.
Integration Parameters
Parameters required from the customer for the integration.
SentinelOne EDR
Property | Default Value | Description |
---|---|---|
IP Address | SentinelOne EDR interface IP address | Hostname or IP address of the device which forwards logs to the CyberHub |
SentinelOne EDR (Alert)
Parameter Display Name | Default Value | Description |
---|---|---|
AUTHENTICATION HTTP HEADERS | N/A | The HTTP header used to authenticate to the SentinelOne Alerts/Threats and static-indicator API, in "key:value" format. |
API HOSTNAME | N/A | The fully qualified domain name of your SentinelOne API. |
INITIAL START TIME | N/A | Time from which alerts should be fetched, e.g. 2000-01-01T01:01:01.000001Z |
IS ALERT API SUBSCRIBED | N/A | Whether the customer has subscribed to the alerts API |
ASSET NAMESPACE | N/A | To assign an asset namespace to all events that are ingested from a particular feed, set the |
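The parameters in the table above are free-text fields, so a feed that is configured with a header in the wrong shape or a start time in the wrong format fails only at the first poll. The following is an added example, not code from this page, from Google SecOps or from SentinelOne: it validates the values the way a collector should before the first request (header in `key:value` form split on the first colon only, start time in the documented UTC form, hostname as a bare FQDN rather than a URL), redacts the header value for logging, and computes a checkpointed polling window with a small overlap and a capped span. The parameter values, the header name `Authorization` and the `ApiToken` scheme word in the sample are placeholders assumed for the demonstration.

```python
"""Validate the SentinelOne (Alert) feed parameters and compute a polling
window. Added example, not the page's or any vendor's code; the parameter
values below are constructed placeholders."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

INITIAL_START_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # matches 2000-01-01T01:01:01.000001Z

# Constructed sample of the parameters from the table (hostname, header and
# token are placeholders, not real values).
CONSTRUCTED_PARAMS = {
    "AUTHENTICATION HTTP HEADERS": "Authorization:ApiToken PLACEHOLDER_TOKEN",
    "API HOSTNAME": "s1.example.invalid",
    "INITIAL START TIME": "2000-01-01T01:01:01.000001Z",
    "IS ALERT API SUBSCRIBED": "true",
    "ASSET NAMESPACE": "",
}


def parse_auth_header(raw: str) -> Dict[str, str]:
    """Split the 'key:value' setting on the first colon only, so a value that
    itself contains ':' is preserved intact."""
    key, sep, value = raw.partition(":")
    key, value = key.strip(), value.strip()
    if not sep or not key or not value:
        raise ValueError("AUTHENTICATION HTTP HEADERS must be in 'key:value' format")
    return {key: value}


def redact_header_value(value: str) -> str:
    """Keep only a leading scheme word so the secret never reaches a log line."""
    scheme, sep, _secret = value.partition(" ")
    return f"{scheme} ********" if sep else "********"


def parse_initial_start_time(raw: str) -> datetime:
    """Accept only the documented UTC form; anything else is rejected up front."""
    try:
        return datetime.strptime(raw.strip(), INITIAL_START_TIME_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise ValueError(f"INITIAL START TIME must look like 2000-01-01T01:01:01.000001Z, got {raw!r}") from exc


def parse_bool(raw: str) -> bool:
    """Strict true/false parsing; an unrecognised string is an error, not False."""
    normalized = raw.strip().lower()
    if normalized in ("true", "yes", "1"):
        return True
    if normalized in ("false", "no", "0"):
        return False
    raise ValueError(f"expected a boolean, got {raw!r}")


def validate_feed_params(params: Dict[str, str]) -> Dict[str, object]:
    """Normalise the table's parameters into what a poller would consume."""
    hostname = params["API HOSTNAME"].strip()
    if not hostname or "://" in hostname or "/" in hostname:
        raise ValueError("API HOSTNAME must be a bare FQDN, not a URL")
    return {
        "base_url": f"https://{hostname}",  # assumed HTTPS endpoint built from the FQDN
        "headers": parse_auth_header(params["AUTHENTICATION HTTP HEADERS"]),
        "start_time": parse_initial_start_time(params["INITIAL START TIME"]),
        "alert_api_subscribed": parse_bool(params["IS ALERT API SUBSCRIBED"]),
        "asset_namespace": params.get("ASSET NAMESPACE", "").strip() or None,
    }


def next_poll_window(checkpoint: datetime, now: datetime,
                     max_span: timedelta = timedelta(hours=1),
                     overlap: timedelta = timedelta(minutes=5)) -> Optional[Tuple[datetime, datetime]]:
    """Return (since, until) for the next fetch, or None when nothing new can exist.
    The window starts a little before the checkpoint so late-arriving alerts are
    not skipped, and is capped so a stale checkpoint is replayed in pages rather
    than in one huge request."""
    until = min(now, checkpoint + max_span)
    if until <= checkpoint:
        return None
    return checkpoint - overlap, until


if __name__ == "__main__":
    cfg = validate_feed_params(CONSTRUCTED_PARAMS)
    header_name, header_value = next(iter(cfg["headers"].items()))
    print(cfg["base_url"], header_name, redact_header_value(header_value))
    print(next_poll_window(cfg["start_time"], datetime.now(timezone.utc)))
```

Duplicate alerts produced by the overlap window are cheaper to de-duplicate downstream (on the alert identifier) than alerts that were silently missed, which is the trade-off the overlap makes deliberately.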